New Rules for Password Protection


For more than a decade, we’ve been told to use “strong” passwords that combine upper- and lower-case letters, numbers and special characters. Not only must they be long and complex, the mantra went, but a different password was needed on each online account – changed to another unique (and mind-numbing) letters/numbers/symbols combination every 90 days or so.

Now, the man who originally developed those password rules in 2003 as official guidance for government employees, says you should forget all that.

Why the takeback? Because those %&$#?@!-inspiring but apparently misguided guidelines “just drives people bananas and they don’t pick good passwords no matter what you do,” Bill Burr, now 72 and retired from his job as manager at the National Institute of Standards and Technology, told the Wall Street Journal.

Apparently, most folks couldn’t choose and remember dozens of criteria-meeting, gibberish passwords like “jK&80+y$/hh#&9v+.” So they opted for something they could remember like “MyWe@kP&55w0rd1” and, when (or if) passwords were updated, made predictable changes like switching 1 to 2 for a newer “MyWe@kP&55w0rd2.” Hackers weren’t fooled.

Now, the NIST has new guidelines, written with Burr’s input. Passwords should be long and easy to remember, with no mandatory “combinations” or periodic changes. Although there’s no guarantee NIST’s more user-friendly advice will be adopted by consumers or password-requiring websites, some specifics:


  • Passwords should be at least 8 characters and up to 64 characters long. Longer is stronger, as password length is the best contributor to its strength.
  • Rather than requiring a combination of letters, numbers, and special characters, the emphasis should be on what’s easy to remember (while long) – without forced combinations. Today’s leading advice from other experts is to create a memorable passphrase or sentence in the double digits, such as “Rufus has loved belly rubs since puppyhood,” a line from a favorite song, or a combination of nonsensical words such as “OceanographicPeachesSimplicity.”
  • Forget the 90-day rule (as if you really followed it?) that usually results in weaker replacements, as advised last year by the Federal Trade Commission. Instead, change passwords when there’s a reasonable threat, such as a data breach.
  • Websites (and you) should forbid the use of passwords known to have been previously stolen, simple dictionary words, repetitive or sequential characters like “12345678” or “qwerty.” Another don’t: Using passwords that contain the name of the user, service provider or other account-related information.
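The four rules above, turned into a screening check. This is an added example, not code from the article or from NIST; the breached list and dictionary are small constructed stand-ins for the real corpora, and the username/service parameters are an assumption about how the check would be wired into a sign-up form.

```python
"""NIST-style password screening: the rules listed above, as runnable checks."""
import re

# Constructed sample data. In practice the breached set would come from a real
# compromised-credential corpus and the wordlist from a full dictionary.
BREACHED = {"12345678", "password", "qwerty", "iloveyou", "letmein"}
DICTIONARY = {"password", "welcome", "sunshine", "dragon", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters ascend/descend by one
    (e.g. 'abcd', '4321') or walk along a keyboard row (e.g. 'qwer')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def has_repetition(pw: str, run: int = 4) -> bool:
    """True if one character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str, username: str = "", service: str = "") -> list:
    """Return the reasons a candidate password should be rejected;
    an empty list means it passes every rule."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    if pw in BREACHED:
        reasons.append("found in breached-password list")
    if pw.lower() in DICTIONARY:
        reasons.append("single dictionary word")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    for name in (username, service):  # hypothetical account-related names
        if len(name) >= 3 and name.lower() in pw.lower():
            reasons.append("contains account-related name: " + name)
    return reasons
```

Note that the passphrase example from the article passes cleanly while short, breached or keyboard-walk candidates are rejected with a specific reason the user can act on.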


All good advice from NIST, but there’s more you can (and should) do for better, less-hackable passwords:


  1. Check ‘em. Before selecting a password, do an online search for “password checkers” to gauge contenders’ strength. Also review the frequently issued “Worst Passwords” lists for absolute no-nos – “password,” even tweaked, usually ranks high – and check your passwords against the 306 million known to have been compromised. Meanwhile, a recent study by password manager Dashlane ranks popular websites on their password security policies.
  2. Vault ‘em. A password manager removes the guesswork of having to remember many passwords. With these apps – some freebies and others with added features for up to $50 a year covering several devices – you only need to remember one master password (so make it good), and it remembers your log-in information at different websites. Some password managers also generate strong passwords, changed with each log-in.
  3. Reinforce ‘em. With two-factor authentication, there’s an extra layer of security to vital digital accounts. To access your account, you supply two factors – your password (something you know) and something you have, such as your smartphone, fingerprint or iris scan. For instance, when you log in with your usual password, the two-factor authentication site sends your phone a six-digit code that must be entered before gaining access. Check for websites that offer two-factor authentication.


For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and keep tabs of scams and law enforcement alerts in your area at our Scam-Tracking Map.


New Make-A-Wish Scam a Triple Threat That Swindled $20 Million Last Time


A new scam feigning the Make-A-Wish Foundation goes beyond just being despicable for exploiting the respected name of a national charity helping children with life-threatening medical conditions.

It combines a trio of the most successful types of schemes – sweepstakes scams, charity scams, and government imposter scams – increasingly used by telephoning fraudsters, and mimics a near-identical ruse seven years ago that bilked older Americans out of $20 million.

Scammers posing as employees of the Federal Trade Commission or non-existent “Consumer Protection Agency” are currently calling Americans to say they have won a six-figure cash sweepstakes run by Make-A-Wish.

The as-expected gotcha: An upfront fee upwards of $4,500 first must be paid to cover taxes, insurance and/or courier services, according to warnings from federal and state officials across the U.S. The as-you-can-guess realities:

  • Make-A-Wish doesn’t participate in sweepstakes. Or chain letters. Or telemarketing of any kind.
  • The FTC’s only participation in sweepstakes? Trying to stop these scams. No acting as messenger or handling sweepstakes money. Also, no chain letters or telemarketing of any kind.
  • There is no “Consumer Protection Agency.” The name mimics two real government watchdog agencies — the Consumer Financial Protection Bureau, which oversees banks and financial institutions, and the Bureau of Consumer Protection, an agency within the FTC. Along with the equally fake “Consumer Protection Bureau,” the bogus “Agency” title is used in other scams.


You should never, ever believe that a government employee (or anyone else) is calling to give you sweepstake or lottery money; if you win a lottery, for instance, it’s on you to claim a prize. Or that you need to pay upfront to get a prize. Or that a respected and admired charity is footing the bill instead of using donations for their intended purpose.

It should be that obvious. But it’s not.

The new Make-A-Wish scam is a near repeat of a ruse in 2010. Then, scammers working from boiler rooms in Costa Rica held the same make-believe sweepstakes, supposedly sponsored by Make-A-Wish. They claimed to be from the FTC or the Internal Revenue Service, reinforcing that lie with internet phone technology to display Washington, D.C.’s 202 area code on targets’ Caller ID (as they’re doing again now, before instructing “winners” to call a phone line with an Arizona area code, where Make-A-Wish is headquartered).

Before authorities busted that crime ring, $20 million was swindled under the guise of paying upfront “luxury taxes” on touted winnings – primarily from older Americans, a population known to be generous in charitable donations (especially those said to help sick children), patriotic and trusting in their government, and especially vulnerable to sweepstakes scams. Notice how many people buy lottery tickets despite a 1-in-292 million shot of winning Powerball and ask yourself: Who isn’t receptive to the idea of receiving a fortune out of the blue?

Like other charities, Make-A-Wish gets spoofed every few years (another name-dropping sweepstakes occurred in 2012). Other bogus sweepstakes “scampaigns” currently making the rounds use the same fake “Consumer Protection Bureau” and “Agency” monikers, including one that scammed $40,000 from a retired couple in Ohio.

The names, however, do not matter. Charities don’t give away money; they hope to collect it. Your tax dollars don’t go to awarding or managing sweepstakes or lotteries. Only scammers and their prize lies require upfront funds to supposedly award you money.

It may be a triple threat, but it has an easy answer: Just hang up.


What to Know About the Top Summer Scams


As temperatures rise, so do certain scams. Here’s how to avoid getting burned in summer’s most common cons:

Home Repairs
Conning contractors typically come to your home unexpectedly, offering steep discounts on driveway resurfacing, roof work, tree trimming or other “necessary” repairs they happen to see while driving by or soliciting business door-to-door. Most seek an upfront payment to “go buy materials” and then disappear. Others do fast and faulty repairs (like spreading used motor oil to coat driveways) or may stop mid-job to extort more money … or find subsequent chores to continue the wallet-draining. What to know:

  • Good contractors are usually too busy to make unsolicited house calls; out-of-state license plates suggest fly-by-day “gypsy travelers” who spend summers going state to state to con elderly homeowners.
  • Despite scare tactics urging immediate repairs, most home repairs can wait until you get several bids from contractors. Get recommendations (and check results) from neighbors, building officials and lumberyards/plumbing/electrical supply shops where pros shop.
  • Don’t pay until the job is complete. Reputable contractors have credit lines to buy materials, although a deposit may be required for major projects like replacing a roof, windows, etc.


Vacation Rentals
Angling for upfront payment (usually by wire transfer or prepaid debit card), scammers steal photos and descriptions of properties from Realtor, hotel or vacation rental websites, and then clone the ads, offering supposed hot-spot “rentals” at discounted prices. What to know:

  • Before answering ads, Google the address, as well as names, emails and phone numbers of the supposed landlord or agent. Also cut and paste into a search engine large chunks of the descriptive text. Red flags include the property is actively up for sale (not for rent), a nonexistent address, an address listed for a business or other nonresidential property, and/or postings by people who fell victim to this particular scammer.
  • Don’t rely solely on email correspondence. Many rental scams are carried out by Nigeria-based scammers (so beware of poorly written ads). You’ll want to talk by phone; beware of foreign accents and area codes that don’t correspond with that of the property’s location.
  • Travel reservations and deposits should be made with a credit card or PayPal — never with a wire transfer or prepaid debit card.


Door-to-Door Sales
Summer and fall are prime time for all types of salesmen to come knocking — literally. Some may be legit but others are not. Magazine sales, often touted as a fundraiser, are especially popular bait preying on older Americans; other popular pitches are for bogus charities, home security systems, even overpriced household devices such as vacuum cleaners. What to know:

  • Just say no to strangers. Prices of magazine subscriptions sold door to door, for instance, are often marked up about 300 percent. Legitimate salespeople and fundraisers will have “leave-behind” material to review before opening your wallet.
  • If you do make a purchase and have regrets, act quickly. The FTC’s “Cooling-Off Rule” dictates a three-day cancellation allowance for a full refund on purchases over $25. Legitimate salesmen must reveal this rule during their pitch; if they don’t, assume it’s a scam.
  • Don’t allow sales reps into your home. Asking for a drink of water or to use your bathroom is a popular way to steal medications, purses and other grab-and-go items.


Moving
Two of every three moves occur in the summer, and thousands each year end this way: After a moving company quotes a reasonable (if not lowball) price and the truck is loaded, the quoted price jumps sky-high, and belongings may be held hostage until customers pay the extra money. What to know:

  • Stick with known companies. Most rip-off rogues are movers who advertise on Craigslist or crude roadside signs. Verify a company’s licenses and complaint history.
  • Pass on any mover who won’t do an on-site inspection of your goods (instead giving a sight-unseen estimate), won’t provide a written estimate or says workers will determine the price after loading, demands a large deposit before the move, or asks you to sign blank or incomplete documents. Those red flags indicate a scammer.
  • Moving boosts your risk of identity theft. Know how to protect yourself before, during and after a move.

